#macos
sundsta (07/22/2019, 5:15 PM):
Other, non-events queries work fine
zwass (07/22/2019, 5:16 PM):
Which events tables are you accessing?
Is this the live query interface, or scheduled queries?
sundsta (07/22/2019, 5:17 PM):
I tried
SELECT * FROM file_events LIMIT 10
and
SELECT * FROM process_events LIMIT 10
Distributed queries, in the UI
zwass (07/22/2019, 5:18 PM):
file_events requires that you configure the watch paths. Did you do that?
sundsta (07/22/2019, 5:22 PM):
I have not... I'll look into that. Still, I believe process_events should work without any additional config
zwass (07/22/2019, 5:26 PM):
I believe process_events needs additional configuration (outside of osquery) as well. See https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-auditing
Some that do not need additional config are disk_events (try opening a dmg) or hardware_events (plug in any USB device)
sundsta (07/22/2019, 5:27 PM):
I had not seen that page, thank you
Still no luck on process_events, even after modifying the audit config and a reboot
Now testing with osqueryi, if that matters at all
zwass (07/23/2019, 4:25 PM):
For any of those event types? What does your config look like?